Intel Security published a rootkit checker tool after WikiLeaks Vault 7 revelations regarding firmware vulnerabilities in popular hardware.
The Vault 7 disclosures state that the CIA has managed to create Extensible Firmware Interface (EFI) rootkits called DarkMatter for MacBook devices. Even though, last week Apple stated that it had addressed “many of the issues” revealed by WikiLeaks, Inter Security still published a tool to check for such rootkits.
EFI is a firmware that replaces the previous BIOS on computers. Several rootkit exploits allow the attacker to inject a code and launch in before the launching of the operating system itself. These rootkits are very hard to detect and they could even outlast hard disk formats due to working on a kernel level.
Inter Security explains that DarkMatter comprises many EFI executables, which it injects into the EFI firmware on the targeted OS at different stages of infection.
If a whitelist of good executables from the firmware image has been generated beforehand, the launching of the new tools.uefi.whitelist module on an OS with infected by DarkMatter EFI firmware will result in a deletion of these extra binaries that the rootkit has added to the firmware. According to Intel Security, the open-source CHIPSEC can protect you against this threat.
